
I want to protect my Azure private DNS against accidental deletion. At first I placed a resource lock on the DNS zone. But this prevented me from deleting individual virtual network links (microsoft.network/privatednszones/virtualnetworklinks), as these are child resources and thus also locked. I want to still be able to delete these without removing the lock first. I only want to protect the whole zone from being deleted.

Is it possible to place locks that won't be inherited by child resources?

Amateur

1 Answer


To protect Azure private DNS against accidental deletion, applying a CanNotDelete lock to the whole zone can prevent it from being deleted. CanNotDelete denotes that a resource is accessible to view and edit but cannot be deleted by other users. According to my knowledge, resource locks on the DNS zone are inherited by child resources only.

The basic structure of resource locks states that a lock applies to child resources as well; thus, if you place a lock on your resource group, all of its resources, both existing and newly added, will be protected.

When you apply a lock at parent scope, all resources inside of the scope inherit the same lock. Even resources you add later will have the same parent lock.

Additionally, you can make use of a custom role to enable full control over a DNS resource, preventing the user account from deleting zones or modifying records of other types.

Reference:

protecting-against-zone-deletion

Easiest-way-to-prevent-accidental-resource-deletion

Imran
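As an added example (not part of the answer above), the custom-role approach worked through in code: a constructed role definition that grants full control over a private DNS zone and its virtual network links but carves out the zone's own delete operation via NotActions, plus a small evaluator that applies Azure RBAC's Actions/NotActions wildcard semantics to check which operations the role effectively permits. The role name and the subscription ID in AssignableScopes are placeholders.

```python
"""Check which control-plane operations an Azure RBAC custom role effectively allows."""
import re

# Constructed custom role (hypothetical name, placeholder subscription): everything
# under the private DNS zone is granted, then deleting the zone itself is excluded.
ZONE_OPERATOR_ROLE = {
    "Name": "Private DNS Zone Operator (no zone delete)",
    "IsCustom": True,
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "Actions": [
        "Microsoft.Network/privateDnsZones/*",           # zone, record sets, vnet links
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/join/action",  # needed to create a vnet link
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [
        "Microsoft.Network/privateDnsZones/delete",       # only the zone itself is protected
    ],
}


def _matches(pattern: str, action: str) -> bool:
    """Azure action patterns: '*' matches any run of characters, including '/'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_allows(role: dict, action: str) -> bool:
    """Effective permission: matched by some Actions entry and by no NotActions entry."""
    granted = any(_matches(p, action) for p in role.get("Actions", []))
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded


if __name__ == "__main__":
    for action in [
        "Microsoft.Network/privateDnsZones/delete",
        "Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete",
        "Microsoft.Network/privateDnsZones/A/write",
        "Microsoft.Network/virtualNetworks/delete",
    ]:
        print(f"{action}: {'allowed' if role_allows(ZONE_OPERATOR_ROLE, action) else 'denied'}")
```

A role assignment only constrains the principals it is assigned to, so unlike a lock it does not stop an Owner or Contributor from deleting the zone; the zone delete in NotActions is therefore a least-privilege control for operators, not a substitute for the lock.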